Breached website detection and notification

ABSTRACT

Systems and methods for a cloud-based approach to breached website detection and notification as a security service are provided. According to one embodiment, a network security device protecting a private network of an enterprise intercepts information associated with an interaction with a website by a browser of a client device associated with the private network. The network security device, based on the information, proactively determines whether the website or a domain with which the website is associated has been reported as having been breached by querying a cloud-based security service that actively maintains a list of breached websites. In response to the determining being affirmative, the network security device notifies the user regarding an occurrence of a security breach involving the domain or the website by issuing a replacement Hypertext Transfer Protocol (HTTP) response message to the browser.

COPYRIGHT NOTICE

Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright © 2019, Fortinet, Inc.

BACKGROUND

Field

The present invention generally relates to the field of cybersecurity and, in particular, to a cloud-based approach to detection and notification regarding breached websites as a security service.

Description of the Related Art

A security breach is an incident that results in unauthorized access to data, applications, services, networks and/or devices as a result of bypassing their underlying security mechanisms. Over the past years, there has been an increase in breaches resulting in the exposure of several million personal records, such as usernames, email addresses, passwords and credit card information, taken from large public websites and subsequently circulated on hacking forums.

Password policies employed by enterprises typically only enforce complexity requirements and mandatory change intervals for user passwords. Notably, however, this is not enough to ascertain whether an employee has reused one or more social media and/or other public account passwords on the enterprise network. When a website's password data is exposed as a result of a breach, the website typically resets users' passwords and prompts users to change their passwords the next time they log in; however, this does not force users to change passwords on other accounts, including enterprise accounts (e.g., email accounts, remote access accounts and the like). Those other accounts remain exposed to attackers who will try to use the passwords obtained via the breach to gain access to other websites and networks on which the users may have accounts, for example by way of so-called credential stuffing attacks, in which bots automatically test millions of email and password combinations against a whole range of website login pages.

In view of the foregoing, there exists a need in the art to develop a technique that proactively identifies security breaches and notifies affected users to change the associated passwords for the domain at issue as well as for their enterprise accounts.

SUMMARY

Systems and methods are described for a cloud-based approach to breached website detection and notification as a security service. According to one embodiment, a network security device protecting a private network of an enterprise intercepts information associated with an interaction with a website by a browser of a client device associated with the private network. The network security device, based on the information, proactively determines whether the website or a domain with which the website is associated has been reported as having been breached by querying a cloud-based security service that actively maintains a list of breached websites. In response to the determining being affirmative, the network security device notifies the user regarding an occurrence of a security breach involving the domain or the website by issuing a replacement Hypertext Transfer Protocol (HTTP) response message to the browser.

Other features of embodiments of the present disclosure will be apparent from the accompanying drawings and from the detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

In the figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

FIG. 1 illustrates an exemplary network architecture in which or with which embodiments of the present invention can be implemented.

FIG. 2 illustrates an exemplary module diagram for alerting a user in the event of a security breach in accordance with an embodiment of the present invention.

FIGS. 3A-C illustrate exemplary interactions with a breach detection system in accordance with an embodiment of the present invention.

FIG. 4 illustrates a flow diagram for alerting a user in the event of a security breach in accordance with an embodiment of the present invention.

FIG. 5 is a flow diagram illustrating a process for enabling a user to change a password responsive to detecting that the user is interacting with a website that has been the subject of a security breach in accordance with an embodiment of the present invention.

FIG. 6 illustrates an exemplary computer system in which or with which embodiments of the present invention may be utilized.

DETAILED DESCRIPTION

Systems and methods are described for a cloud-based approach to breached website detection and notification as a security service. In the following description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the present invention. It will be apparent to one skilled in the art that embodiments of the present invention may be practiced without some of these specific details.

Embodiments of the present invention include various steps, which will be described below. The steps may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform the steps. Alternatively, steps may be performed by a combination of hardware, software, firmware and/or by human operators.

Embodiments of the present invention may be provided as a computer program product, which may include a machine-readable storage medium tangibly embodying thereon instructions, which may be used to program a computer (or other electronic devices) to perform a process. The machine-readable medium may include, but is not limited to, fixed (hard) drives, magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, semiconductor memories, such as ROMs, random access memories (RAMs), programmable read-only memories (PROMs), erasable PROMs (EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical cards, or other types of media/machine-readable medium suitable for storing electronic instructions (e.g., computer programming code, such as software or firmware).

Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present invention with appropriate standard computer hardware to execute the code contained therein. An apparatus for practicing various embodiments of the present invention may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the invention could be accomplished by modules, routines, subroutines, or subparts of a computer program product.

Terminology

Brief definitions of terms used throughout this application are given below. Although the present disclosure has been described with the purpose of detecting breached websites and notifying affected users, it should be appreciated that this has been done merely to illustrate the invention in an exemplary manner, and any other purpose or function for which the explained structure or configuration can be used is covered within the scope of the present disclosure.

As used in the description herein and throughout the claims that follow, the meaning of “a,” “an,” and “the” includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.

The terms “connected” or “coupled” and related terms are used in an operational sense and are not necessarily limited to a direct connection or coupling. Thus, for example, two devices may be coupled directly, or via one or more intermediary media or devices. As another example, devices may be coupled in such a way that information can be passed therebetween, while not sharing any physical connection with one another. Based on the disclosure provided herein, one of ordinary skill in the art will appreciate a variety of ways in which connection or coupling exists in accordance with the aforementioned definition.

The phrase “endpoint device” generally refers to a network-capable computer hardware device, typically on a Transmission Control Protocol (TCP)/Internet Protocol (IP) network. Non-limiting examples of endpoint devices include servers, desktop computers, laptops, smart phones, tablets, thin clients, Internet of Things (IoT) devices, printers or other specialized hardware (e.g., Point of Sale (POS) terminals and smart meters).

The phrases “endpoint protection system” or “endpoint security solution” generally refer to a system that (i) focuses on protecting endpoint devices in a network from cyber threats and attacks by malicious internal and external actors, (ii) provides endpoint management functionality, for example, allowing a network administrator to identify and manage users' computer access over a corporate or enterprise network and/or (iii) protects the enterprise network by blocking access attempts and/or other risky activity at these points of entry to the enterprise network. An endpoint protection system may proactively defend endpoints with one or more of pattern-based anti-malware technology, behavior-based exploit protection, web filtering, and an application firewall. For example, a network administrator may configure the endpoint protection system to restrict certain website access to specific users in order to maintain and comply with an organization's policies and standards. Similarly, an endpoint protection system may provide antivirus/antimalware, sandbox protection and/or vulnerability management scanning and may additionally be configurable to remediate identified issues and/or automatically quarantine a suspicious or compromised endpoint in order to contain incidents and stem outbreaks. Non-limiting examples of endpoint protection systems include the FortiClient endpoint security solution (available from the assignee of the present invention), Cybereason, SentinelOne endpoint security software, Stormshield SES, ForeScout CounterACT, Promisec PEM, CounterTack Sentinel, CrowdStrike Falcon Host, Guidance Software EnCase, and Comodo Advanced Endpoint Protection.

The phrase “network security device” generally refers to a hardware device or network appliance configured to be coupled to a network and to provide one or more of data privacy, protection, encryption and security. The network security device can be a device providing one or more of the following features: network firewalling, VPN, antivirus, intrusion prevention (IPS), content filtering, data leak prevention, antispam, antispyware, logging, reputation-based protections, event correlation, network access control, vulnerability management, load balancing and traffic shaping, which can be deployed individually as a point solution or in various combinations as a unified threat management (UTM) solution. Non-limiting examples of network security devices include proxy servers, firewalls, VPN appliances, gateways, UTM appliances and the like.

The phrase “network appliance” generally refers to a specialized or dedicated device for use on a network in virtual or physical form. Some network appliances are implemented as general-purpose computers with appropriate software configured for the particular functions to be provided by the network appliance; others include custom hardware (e.g., one or more custom Application Specific Integrated Circuits (ASICs)). Examples of functionality that may be provided by a network appliance include, but are not limited to, Layer 2/3 routing, content inspection, content filtering, firewall, traffic shaping, application control, Voice over Internet Protocol (VoIP) support, Virtual Private Networking (VPN), Internet Protocol (IP) security (IPSec), Secure Sockets Layer (SSL), antivirus, intrusion detection, intrusion prevention, Web content filtering, spyware prevention and anti-spam. Examples of network appliances include, but are not limited to, network gateways and network security devices (e.g., FORTIGATE family of network security devices and FORTICARRIER family of consolidated security appliances), messaging security appliances (e.g., FORTIMAIL family of messaging security appliances), database security and/or compliance appliances (e.g., FORTIDB database security and compliance appliance), web application firewall appliances (e.g., FORTIWEB family of web application firewall appliances), application acceleration appliances, server load balancing appliances (e.g., FORTIBALANCER family of application delivery controllers), vulnerability management appliances (e.g., FORTISCAN family of vulnerability management appliances), configuration, provisioning, update and/or management appliances (e.g., FORTIMANAGER family of management appliances), logging, analyzing and/or reporting appliances (e.g., FORTIANALYZER family of network security reporting appliances), bypass appliances (e.g., FORTIBRIDGE family of bypass appliances), Domain Name System (DNS) appliances (e.g., FORTIDNS family of DNS appliances), wireless security appliances (e.g., FORTIWIFI family of wireless security gateways), DDoS mitigation appliances (e.g., FORTIDDOS family of DDoS attack mitigation appliances), wireless access point appliances (e.g., FORTIAP wireless access points), switches (e.g., FORTISWITCH family of switches) and IP-PBX phone system appliances (e.g., FORTIVOICE family of IP-PBX phone systems).

If the specification states a component or feature “may”, “can”, “could”, or “might” be included or have a characteristic, that particular component or feature is not required to be included or have the characteristic.

The recitation of ranges of values herein is merely intended to serve as a shorthand method of referring individually to each separate value falling within the range. Unless otherwise indicated herein, each individual value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g. “such as”) provided with respect to certain embodiments herein is intended merely to better illuminate the invention and does not pose a limitation on the scope of the invention otherwise claimed. No language in the specification should be construed as indicating any non-claimed element essential to the practice of the invention.

Groupings of alternative elements or embodiments of the invention disclosed herein are not to be construed as limitations. Each group member can be referred to and claimed individually or in any combination with other members of the group or other elements found herein. One or more members of a group can be included in, or deleted from, a group for reasons of convenience and/or patentability. When any such inclusion or deletion occurs, the specification is herein deemed to contain the group as modified, thus fulfilling the written description of all groups used in the appended claims.

Exemplary embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. These embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those of ordinary skill in the art. Moreover, all statements herein reciting embodiments of the invention, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future (i.e., any elements developed that perform the same function, regardless of structure).

Thus, for example, it will be appreciated by those of ordinary skill in the art that the diagrams, schematics, illustrations, and the like represent conceptual views or processes illustrating systems and methods embodying this invention. The functions of the various elements shown in the figures may be provided through the use of dedicated hardware as well as hardware capable of executing associated software. Similarly, any switches shown in the figures are conceptual only. Their function may be carried out through the operation of program logic, through dedicated logic, through the interaction of program control and dedicated logic, or even manually, the particular technique being selectable by the entity implementing this invention. Those of ordinary skill in the art further understand that the exemplary hardware, software, processes, methods, and/or operating systems described herein are for illustrative purposes and, thus, are not intended to be limited to those particularly named.

While embodiments of the present invention are described and illustrated herein, it will be clear to those skilled in the art that the invention is not limited to such embodiments. Numerous modifications, changes, variations, substitutions, and equivalents will be apparent to those skilled in the art, without departing from the spirit and scope of the invention, as described in the claims.

Embodiments of the present disclosure pertain to a cloud-based approach to breached website detection and notification as a security service. Various techniques disclosed herein enable detection of a security breach associated with a website requested by a user of a private network. A proactive alert can be provided to the user when there is a possibility of user information having been exposed as a result of a known/documented breach of the website at issue. Further, the user can be redirected to a password change portal associated with the particular domain of the requested website. In addition, in order to minimize the possibility of enterprise accounts being hacked, when the user is logging into a breached website, the user can be redirected by a network security device associated with the enterprise network to a password portal of the enterprise that enables the user to reset enterprise account passwords.

An aspect of the present disclosure pertains to a method that can include intercepting, by a network security device protecting a private network of an enterprise, information associated with an interaction with a website by a browser of a client device associated with the private network; based on the information, proactively determining, by the network security device, whether the website or a domain with which the website is associated has been reported as having been breached by querying a cloud-based security service that actively maintains a list of breached websites; and when the determining is affirmative, notifying, by the network security device, the user regarding an occurrence of a security breach involving the domain or the website by issuing a replacement HTTP response message to the browser.

In an embodiment, the list of breached websites contains information regarding domains and websites for which confidential information of users has been exposed.

In an embodiment, the intercepting is a result of Domain Name System (DNS) based filtering or web filtering performed by the network security device.

In an embodiment, the method can further include, prior to the querying, parsing, by the network security device, the information to extract one or more of a Uniform Resource Locator (URL) associated with the website or a Common Name contained within a Secure Sockets Layer (SSL) certificate of the website.

In an embodiment, the method can further include causing, by the network security device, the user to reset passwords of their enterprise accounts by causing the browser to be redirected to a password portal associated with the enterprise.

In an embodiment, the method can further include monitoring, by an endpoint security solution running on the client device, inputs by the user on login portals of public websites; precluding the user from reusing passwords across public and intranet domains by comparing, by the endpoint security solution, the inputs to one or more user passwords for enterprise accounts of the user; and, when the comparing results in detection of a match between a password for a particular public website and a password of a particular enterprise service: causing, by the network security device, the user to reset the password for the particular public website by causing the browser to be redirected to a password change portal associated with the public website; and causing, by the network security device, the user to reset the password for the particular enterprise service by causing the browser to be redirected to a password portal associated with the particular enterprise service.

FIG. 1 illustrates a simplified network architecture 100 in which or with which embodiments of the present invention can be implemented. In the context of the present example, a system 106 can be implemented by/within a network security device 104 for detection of whether a website that a user of the private network may be attempting to access is among those reported to have been the subject of a breach. Network architecture 100 illustrates multiple client devices 110-1, 110-2, . . . , 110-N (which may be collectively referred to as client devices 110 and which may be individually referred to as client device 110, hereinafter) that can be communicatively coupled through the private network protected by network security device 104.

Network security device 104 can be utilized for interfacing between an internal or private network and an external network (e.g., network 102), such that client devices 110 of the private network can interact with network resources residing outside of the private network. The private network can pertain to an enterprise such as an organization, a company, an entity, a workplace and the like and may only be accessible to users associated with the enterprise through client devices 110. Also, the enterprise may provide enterprise services or enterprise domains that users of the private network are permitted to access using enterprise accounts. In one embodiment, the users can be employees, staff, workforce or any other person that is associated with the enterprise. Non-limiting examples of client devices 110 include personal computers, smart devices, web-enabled devices, hand-held devices, laptops, tablet computers, mobile phones and the like that can be used by the users to connect to the private network.

As will be appreciated by those skilled in the art, the various networks described herein can include one or more wireless networks, wired networks or a combination thereof that can be implemented as part of different types of networks, such as an Intranet, a Local Area Network (LAN), a Wide Area Network (WAN), the Internet, and the like. Further, the networks can either be a dedicated network or a shared network. The shared network represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like.

Further, network security device 104 can provide an interface between the private network and the external network by effectively managing and regulating network traffic by utilizing a set of protocols. Non-limiting examples of network security device 104 include a firewall, an antivirus scanning device, a content filtering device, an intrusion detection device, a Unified Threat Management (UTM) device, a web caching device, etc. In an exemplary embodiment of the present disclosure, system 106 can also be implemented using any or a combination of hardware and software elements. Hardware elements can include network devices installed within a private network to enable connection of client devices 110, such as a router, a bridge, a server, an access point, a gateway, a hub and the like. Software elements can include a web browser, an email client, a mail server, a web server or other software that processes web traffic. Although in the context of various embodiments described herein, system 106 is described as being implemented in network security device 104, those skilled in the art will appreciate that system 106 may be deployed in various other locations. For example, system 106 can be implemented as a standalone application on client devices 110 or within an endpoint protection system installed on client devices 110.

In an embodiment, database 108 may represent a data store of a cloud-based security service that maintains a list of breached websites in real time. As illustrated, database 108 may interact with network security device 104 or system 106 through network 102 in order to enable network security device 104 to query the cloud-based security service, via a web services interface or a RESTful API, for example, provided by the cloud-based security service, to determine whether a user accessing a resource external to the private network via client device 110 is interacting with a website known by the cloud-based security service to have been the subject of a breach.

In an aspect, system 106 can intercept information associated with an interaction with the website by client device 110 through an interface provided by a browser running on client device 110. Further, system 106 can parse the information to extract a URL or domain name associated with the website or a common name contained within an SSL certificate of the website. In one embodiment, system 106 can perform DNS based filtering or web filtering to intercept DNS requests or the common name of the SSL certificate and submit such information for a determination by the cloud-based security service regarding whether there has been a reported security breach associated with the requested website or a domain associated therewith. Alternatively or additionally, system 106 may extract such information from observed HTTP requests.

In an aspect, system 106 can proactively determine whether the website or the domain with which the website is associated has been reported as having been breached by querying a cloud-based security service (e.g., one of the FortiGuard security subscription services available from the assignee of the present invention) implementing database 108 (e.g., a URL or domain name database) that actively maintains a list of breached websites. The list of breached websites may be generated through research and intelligence gathered from various sources, for example, from third parties (e.g., security researchers, reports/databases available from cybersecurity firms, public disclosure/self-reporting by an entity associated with the breached website, press reports, and other online resources (e.g., Have I Been Pwned)). According to an implementation, a subscription based model may be utilized for access to the cloud-based security service.
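The extraction and lookup steps described in the two paragraphs above (a URL or Host header, a DNS query name, or the common name of a certificate, reduced to lookup keys and checked against the breached-website list) can be sketched as follows. This is an added example, not Fortinet's or FortiGuard's code, and it makes no network call: the BREACHED_DOMAINS set, the PUBLIC_SUFFIXES table and the BreachLookup class are constructed stand-ins for the feed, the Public Suffix List and the REST client. It goes slightly beyond the text in walking from the observed host up to its registrable domain, so that a breach recorded for asd.com also flags shop.asd.com, while a breach recorded only for forum.example.net does not flag www.example.net.

```python
"""Added example: deriving lookup keys from intercepted traffic and checking
them against a breached-website list (constructed data, no network calls)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the cloud service's breached-website feed.
BREACHED_DOMAINS = {
    "asd.com",            # the example site from the description
    "forum.example.net",  # a breach reported for one subdomain only
}

# Constructed stand-in for the Public Suffix List; real code should load it.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def normalize_host(host):
    """Lowercase, drop a trailing dot and a wildcard prefix, reject IP literals
    and anything that is not a syntactically plausible DNS name."""
    host = host.strip().lower().rstrip(".")
    if not host:
        return None
    try:
        ipaddress.ip_address(host.strip("[]"))
        return None  # IP literals are not keyed in a breached-website list
    except ValueError:
        pass
    if host.startswith("*."):
        host = host[2:]  # wildcard certificate CN such as *.asd.com
    labels = host.split(".")
    if not all(label and label.replace("-", "").isalnum() for label in labels):
        return None
    return host


def host_from_url(url):
    """Host of a URL or of a bare Host header value (port is discarded)."""
    if "://" not in url:
        url = "//" + url  # urlsplit needs a netloc marker to find the host
    return normalize_host(urlsplit(url).hostname or "")


def host_from_cert_cn(subject):
    """Common name from a certificate subject such as 'CN=*.asd.com,O=ASD Inc'
    or from a bare CN. (Commas inside attribute values are not handled.)"""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return normalize_host(value)
    return normalize_host(subject)


def candidate_keys(host):
    """The host and each parent domain down to the registrable domain, e.g.
    login.forum.example.net -> [login.forum.example.net, forum.example.net,
    example.net]; the public suffix itself is never queried."""
    labels = host.split(".")
    keys = []
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            break
        keys.append(suffix)
    return keys


class BreachLookup:
    """Client for the breached-website feed. _query_service stands in for the
    REST call; results are cached per key so a busy site is not re-queried."""

    def __init__(self, breached=BREACHED_DOMAINS):
        self._breached = set(breached)
        self._cache = {}
        self.queries = 0

    def _query_service(self, key):
        self.queries += 1
        return key in self._breached

    def find_breach(self, host):
        """Most specific breached domain covering host, or None."""
        for key in candidate_keys(host):
            if key not in self._cache:
                self._cache[key] = self._query_service(key)
            if self._cache[key]:
                return key
        return None


def check_interaction(lookup, url=None, cert_subject=None, dns_qname=None):
    """Combine whatever the device observed (HTTP request, TLS certificate,
    DNS query) and return the breached domain hit, if any."""
    observed = []
    if url:
        observed.append(host_from_url(url))
    if cert_subject:
        observed.append(host_from_cert_cn(cert_subject))
    if dns_qname:
        observed.append(normalize_host(dns_qname))
    for host in observed:
        hit = lookup.find_breach(host) if host else None
        if hit:
            return hit
    return None


if __name__ == "__main__":
    lk = BreachLookup()
    print(check_interaction(lk, url="https://www.asd.com/login"))  # asd.com
    print(check_interaction(lk, url="https://www.example.net/"))  # None
```

Two points of design worth noting: IP literals and bracketed IPv6 hosts are dropped rather than queried, because a breached-website list is keyed by name; and the per-key cache means that a popular site costs one service round trip per key rather than one per request, which matters on a device that sits in front of a whole enterprise.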

In an aspect, in response to the determination that the website or the domain with which the website is associated has been breached, system 106 can notify the user regarding an occurrence of a security breach involving the domain or the website by issuing a replacement HTTP response message to the browser of client device 110. For example, if a website “www.asd.com” requested by a user X has been determined by system 106 to be associated with a security breach, system 106 may provide a warning to user X indicating that the requested website has been breached so that user X may decide whether or not to proceed to access “www.asd.com”.

In an embodiment, the replacement HTTP response message may provide a link to a password reset portal for the breached website. Additionally or alternatively, the replacement HTTP response may provide a link to reset passwords of the user's enterprise accounts associated with enterprise services. Further, in order to provide a secure environment for the user of the private network, system 106, implemented in network security device 104, may interact with an endpoint security solution running on client device 110. The integration of system 106 with the endpoint security solution may ensure that the user does not reuse passwords across public and intranet/private or enterprise domains. The endpoint security solution running on client device 110 can monitor inputs by the user on login portals of public websites such that the user can be precluded from reusing passwords across public and intranet or enterprise domains.
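A replacement response of the kind described in the two paragraphs above, as an added example rather than the patent's or any FortiGate code. It parses the head of an intercepted plaintext HTTP request, matches the Host header against a breached-domain set passed in by the caller, and returns either a pass-through decision or a complete warning page carrying the site's password change link and the enterprise reset link. ENTERPRISE_PASSWORD_PORTAL and SITE_RESET_PORTALS are hypothetical values. The detail worth noticing is that the host name comes from the client and is escaped before it is placed in the HTML, so an attacker-chosen Host header cannot inject script into a page that the security device itself serves from a trusted position.

```python
"""Added example: intercept a plaintext HTTP request and, when its Host
belongs to a breached domain, answer with a replacement warning page."""
import html

# Hypothetical portals; a real deployment configures these.
ENTERPRISE_PASSWORD_PORTAL = "https://passwords.corp.example/reset"
SITE_RESET_PORTALS = {"asd.com": "https://www.asd.com/account/password"}


def parse_http_request(raw):
    """Method, request target and lower-cased headers from the request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def breached_domain_for(host, breached_domains):
    """Walk from the host up through its parent domains (never the bare TLD)
    and return the first one present in the breached set, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        domain = ".".join(labels[i:])
        if domain in breached_domains:
            return domain
    return None


def breach_warning_response(host, domain, site_portal=None):
    """Complete HTTP/1.1 response carrying the warning page. host and domain
    are client-influenced, so they are HTML-escaped before use."""
    safe_host, safe_domain = html.escape(host), html.escape(domain)
    links = []
    if site_portal:
        links.append('<li><a href="%s">Change your %s password</a></li>'
                     % (html.escape(site_portal, quote=True), safe_domain))
    links.append('<li><a href="%s">Reset your enterprise account passwords</a></li>'
                 % html.escape(ENTERPRISE_PASSWORD_PORTAL, quote=True))
    body = (
        "<!doctype html><html><head><title>Security warning</title></head><body>"
        "<h1>Reported breach: %s</h1>"
        "<p>You requested %s. Credentials held by %s have been reported as exposed. "
        "If you reused that password anywhere else, change it now.</p>"
        "<ul>%s</ul></body></html>" % (safe_domain, safe_host, safe_domain, "".join(links))
    ).encode("utf-8")
    # 200 lets every browser render the page; a 403 would also be defensible.
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Length: %d\r\n"
        "Cache-Control: no-store\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Connection: close\r\n\r\n" % len(body)
    )
    return head.encode("ascii") + body


def handle_request(raw_request, breached_domains, site_portals=SITE_RESET_PORTALS):
    """('pass', None) to forward the request unchanged, or
    ('replace', response_bytes) to answer the browser ourselves."""
    _method, _target, headers = parse_http_request(raw_request)
    host = headers.get("host", "").split(":", 1)[0].strip().lower().rstrip(".")
    domain = breached_domain_for(host, breached_domains) if host else None
    if domain is None:
        return "pass", None
    return "replace", breach_warning_response(host, domain, site_portals.get(domain))


if __name__ == "__main__":
    # Constructed request as the device would see it from a browser.
    request = b"GET /login HTTP/1.1\r\nHost: www.asd.com\r\nUser-Agent: demo\r\n\r\n"
    decision, response = handle_request(request, {"asd.com"})
    print(decision)
    print(response.decode("utf-8"))
```

Cache-Control: no-store keeps the interstitial out of the browser cache so it is not replayed after the breach entry is retired, and Connection: close avoids leaving a half-handled keep-alive connection behind. For HTTPS traffic the same substitution only works where the device already terminates TLS for inspection; otherwise the DNS or certificate path from the earlier paragraphs is what remains.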

Those skilled in the art will appreciate that various embodiments of system 106 may be utilized to alert the user when there is a possibility of their passwords or account information being exploited, by detection of security breaches associated with requested websites. Further, the user can be redirected to the password change portal of the particular domain of the requested website. Furthermore, in order to minimize the possibility of enterprise accounts being hacked due to reuse of passwords, if the user is logging into a breached website, the user can be redirected to a portal that enables the user to reset enterprise account passwords. Also, using an endpoint security solution running on client device 110, user inputs on public websites can be monitored and compared with enterprise account passwords to proactively prohibit the user from using the same passwords across public and enterprise accounts.
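The endpoint-side comparison described in this paragraph and in the monitoring embodiment earlier (checking what the user types into a public login form against enterprise account passwords) has an obvious hazard: an agent that holds the enterprise passwords in clear in order to compare them is itself a credential store on every laptop. The following added example, which is not FortiClient code or any Fortinet implementation, keeps only a salted PBKDF2 fingerprint per enterprise service, compares a submitted public-site password against those fingerprints in constant time, and on a match returns the redirect actions the network security device would issue. The service names, portal URLs and passwords are constructed.

```python
"""Added example: endpoint-side detection of enterprise password reuse on
public login forms without storing enterprise passwords in clear."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # slows offline guessing if the store leaks


def fingerprint(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


class EnterprisePasswordMonitor:
    """Holds one (salt, digest) per enterprise service. The agent learns the
    fingerprint when the enterprise password is set or changed and never
    keeps the password itself."""

    def __init__(self):
        self._fingerprints = {}  # service name -> (salt, digest)

    def register_enterprise_password(self, service, password):
        self._fingerprints[service] = fingerprint(password)

    def reused_services(self, submitted_password):
        """Enterprise services whose password equals the submitted one.
        Evaluated on form submit, not per keystroke: PBKDF2 is deliberately slow."""
        hits = []
        for service, (salt, digest) in self._fingerprints.items():
            _, candidate = fingerprint(submitted_password, salt)
            if hmac.compare_digest(candidate, digest):  # constant-time compare
                hits.append(service)
        return hits

    def on_public_login_submit(self, site, submitted_password,
                               enterprise_portal, site_portals):
        """Actions for the network security device: a redirect to the public
        site's password change portal plus one per affected enterprise service.
        Returns [] when no reuse is detected."""
        services = self.reused_services(submitted_password)
        if not services:
            return []
        actions = [("reset_site_password", site, site_portals.get(site))]
        for service in services:
            actions.append(("reset_enterprise_password", service, enterprise_portal))
        return actions


if __name__ == "__main__":
    monitor = EnterprisePasswordMonitor()
    monitor.register_enterprise_password("vpn", "Winter2019!")      # constructed
    monitor.register_enterprise_password("email", "correct horse")  # constructed
    print(monitor.on_public_login_submit(
        "asd.com", "Winter2019!",
        "https://passwords.corp.example/reset",                     # hypothetical
        {"asd.com": "https://www.asd.com/account/password"}))       # hypothetical
```

The fingerprint store is still sensitive (a copy allows offline guessing bounded only by the PBKDF2 cost) and belongs in OS-protected storage rather than a plain file. The check also only catches exact reuse; a user who types a trivial variant of the enterprise password into a public site is not detected by this comparison.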

FIG. 2 illustrates an exemplary module diagram for alerting a user inevent of a security breach in accordance with an embodiment of thepresent invention. As illustrated, system 200, which may represent anetwork security device (e.g., network security device 104), can includeone or more processor(s) 202. Processor(s) 202 can be implemented as oneor more microprocessors, microcomputers, microcontrollers, digitalsignal processors, central processing units, logic circuitries, and/orany devices that manipulate data based on operational instructions.Among other capabilities, processor(s) 202 are configured to fetch andexecute computer-readable instructions stored in a memory 204 of system200. Memory 204 can store one or more computer-readable instructions orroutines, which may be fetched and executed to create or share the dataunits over a network service. Memory 204 can include any non-transitorystorage device including, for example, volatile memory such as RAM, ornon-volatile memory such as EPROM, flash memory, and the like. In anexample embodiment, memory 204 may be a local memory or may be locatedremotely, such as a server, a file server, a data server, and a Cloud.

System 200 can also include one or more interface(s) 206. Interface(s) 206 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, and the like. Interface(s) 206 may facilitate communication of system 200 with various devices coupled to system 200. Interface(s) 206 may also provide a communication pathway for one or more components of system 200. Examples of such components include, but are not limited to, processing engine(s) 210 and data 208.

Engine(s) 210 can be implemented as a combination of hardware and software or firmware programming (for example, programmable instructions) to implement one or more functionalities of engine(s) 210. In the examples described herein, such combinations of hardware and software or firmware programming may be implemented in several different ways. For example, the programming for the engine(s) may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for engine(s) 210 may include a processing resource (for example, one or more processors) to execute such instructions. In the examples, the machine-readable storage medium may store instructions that, when executed by the processing resource, implement engine(s) 210. In such examples, system 200 can include the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to system 200 and the processing resource. In other examples, engine(s) 210 may be implemented by electronic circuitry. Data 208 can include data that is either stored or generated as a result of functionalities implemented by any of the components of engine(s) 210.

In an example, processing engine(s) 210 can include an information interception module 212, a security breach assessment module 214, a security breach notification module 216, an enterprise account password maintenance module 218 and other module(s) 220. Other module(s) 220 can implement functionalities that supplement applications or functions performed by system 200 or processing engine(s) 210.

In an aspect, information interception module 212 can intercept information associated with an interaction with a website by a web browser running on a client device (e.g., client device 110 associated with a private network of an enterprise). The information associated with the interaction with the website can be obtained via an interface provided by the web browser. For example, when the end user attempts to access a website, the user may select a hyperlink associated with the website or may manually enter all or a portion (if an autocomplete feature is available) of a web address associated with the website into an address bar or other graphical control element of the browser. Thus, information interception module 212 can intercept information such as a web address associated with a selected hyperlink or a web address submitted via the browser's address bar.

In an embodiment, interception module 212 can parse the information to extract a Uniform Resource Locator (URL) associated with the website. The URL specifies an address on the World Wide Web (WWW) and is the fundamental network identifier for any document or resource on the web, such as a hypertext page, a video, an image or a sound file. The URL may contain a protocol identifier indicating what protocol to use and a resource name specifying the Internet Protocol (IP) address or domain name where the resource is located.

In an embodiment, interception module 212 can also extract the common name contained within the SSL certificate of the website by parsing the information. Those skilled in the art will appreciate that the SSL certificate of a website binds the website's public key to its name, which allows the browser to authenticate the website and to establish an encrypted session so that sensitive data remains unreadable while it traverses one or more public networks. The SSL certificate includes a common name that identifies the host domain name associated with the certificate. An example of a common name of a website may be in the form “www.abc.com” or “abc.com”. In practice, the Subject Alternative Name (SAN) extension of the certificate and the Server Name Indication (SNI) value sent by the browser in the TLS ClientHello identify the requested host more reliably than the common name, which browsers have largely stopped using for name matching; an implementation that extracts the common name should also consider these fields.

In one embodiment, information interception module 212 can perform DNS-based filtering or web filtering to intercept the information associated with the interaction with the website. For Hypertext Transfer Protocol Secure (HTTPS) traffic, the DNS-based filtering or web filtering can be performed using either certificate-based inspection or full SSL inspection. Therefore, when the user requests a website through a client device while connected to the private network, the request can be parsed by a network security device protecting the private network to facilitate the security breach determination discussed herein. In an alternate embodiment, information interception module 212 can obtain the DNS request, the common name of the SSL certificate, or the actual HTTP request from the intercepted information for performing the security breach determination.

In an aspect, security breach assessment module 214, based on the information, can proactively determine whether the website or a domain with which the website is associated has been reported as having been breached by querying a cloud-based security service that actively maintains a list of breached websites. In an embodiment, the cloud-based security service can correspond to database 108 of FIG. 1, which maintains a list of breached websites in real time. The list of breached websites can contain information regarding domains and websites for which confidential information of users has been exposed. According to one embodiment, a subscription-based model may be utilized to provide access to the cloud-based security service. According to an example, if a user has requested to visit “www.xyz.com”, security breach assessment module 214 may query database 108 to determine whether “www.xyz.com” has been associated with a security breach.

In an aspect, in response to the determination that the website or the domain with which the website is associated has been reported as having been breached, security breach notification module 216 can notify the user regarding the occurrence of a security breach involving the domain or the website by issuing a replacement HTTP response message, for example, to the browser. That is, when querying the cloud-based security service reveals that there has been a security breach associated with the website requested by the user, security breach notification module 216 can notify the user about the security breach. According to an example, if a website “www.xyz.com” requested by the user has been determined by security breach assessment module 214 to be associated with a security breach, security breach notification module 216 may present a warning to the user indicating that the requested website has been breached. The user may then decide whether or not to proceed to access “www.xyz.com”.

Additionally, in an embodiment, the replacement HTTP response message may also include a variable field that provides a link to a password reset portal for the website that was requested. According to an example, if a website “www.xyz.com” requested by the user has been determined by security breach assessment module 214 to be associated with a security breach, security breach notification module 216 may present a warning to the user indicating that the requested website has been breached and may additionally redirect the browser to the password reset portal of the requested website or allow the user to follow a provided link to that portal. The user may then decide whether to proceed to access “www.xyz.com” or to change the password associated with an account on the website “www.xyz.com”.
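The interception, assessment and notification steps described in the preceding paragraphs, as an added example in Python; this is not code from the patent or from any Fortinet product. The breach list, the per-site reset portals and the enterprise portal URL are constructed sample data standing in for the cloud-based service and the web-filtering profile, and the parent-domain walk is simplified (it does not consult the public suffix list). Beyond what the text states, the example shows two checks a practitioner would want on the replacement response: the hostname is HTML-escaped because it comes from untrusted traffic, and the reset link is taken only from configuration rather than from the request, so the warning page cannot be turned into an open redirect.

```python
"""Added example (not code from the patent or from a Fortinet product):
intercept -> normalise -> query breach list -> replacement HTTP response.
All data below is constructed sample data, not a real breach feed."""
from html import escape
from urllib.parse import urlsplit

# Constructed stand-in for the cloud-based list of breached websites:
# hostname or domain -> short description of what was exposed.
BREACHED_SITES = {
    "xyz.com": "credentials exposed",
    "mail.abc.com": "account data exposed",
}

# Constructed stand-in for per-site password reset portals (assumed config).
RESET_PORTALS = {
    "xyz.com": "https://www.xyz.com/account/reset",
    "mail.abc.com": "https://mail.abc.com/password",
}

# Assumed enterprise reset portal taken from the DNS/web filtering profile.
ENTERPRISE_PORTAL = "https://passwords.corp.example/reset"


def hostname_from(kind, value):
    """Reduce an intercepted artefact to a lowercase hostname.

    kind: "url" (address bar or hyperlink), "dns" (query name) or
    "cn" (certificate Common Name / SNI). A wildcard CN such as
    "*.abc.com" is reduced to "abc.com".
    """
    if kind == "url":
        if "://" not in value:           # bare "www.xyz.com/login"
            value = "http://" + value
        host = urlsplit(value).hostname or ""
    elif kind in ("dns", "cn"):
        host = value
    else:
        raise ValueError("unknown artefact kind: %r" % kind)
    host = host.strip().rstrip(".").lower()
    if host.startswith("*."):
        host = host[2:]
    return host


def candidate_domains(host):
    """Yield the host and each parent domain: mail.abc.com, abc.com.

    Simplification: a real implementation consults the public suffix
    list so that a suffix such as "co.uk" is never treated as a domain.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def lookup_breach(host, breach_list=BREACHED_SITES):
    """Stand-in for the cloud-service query: (matched name, reason) or None."""
    for name in candidate_domains(host):
        if name in breach_list:
            return name, breach_list[name]
    return None


def replacement_response(host, matched, reason):
    """Build the HTTP response that replaces the site's own response.

    The hostname comes from untrusted traffic and is HTML-escaped. The
    reset link is taken only from RESET_PORTALS, never from the request,
    so the warning page cannot be abused as an open redirect.
    """
    reset = RESET_PORTALS.get(matched)
    reset_html = ""
    if reset:
        reset_html = '<p><a href="%s">Change your password on %s</a></p>' % (
            escape(reset, quote=True), escape(matched))
    body = (
        "<!doctype html><html><body>"
        "<h1>Warning: %s has been reported as breached</h1>"
        "<p>%s. Credentials used there may be exposed.</p>"
        "%s"
        '<p><a href="%s">Reset your enterprise passwords</a></p>'
        '<form method="post"><button name="proceed" value="1">'
        "OK to continue</button></form>"
        "</body></html>"
    ) % (escape(host), escape(reason), reset_html,
         escape(ENTERPRISE_PORTAL, quote=True))
    body = body.encode("utf-8")
    headers = (
        "HTTP/1.1 403 Forbidden\r\n"       # status code is a design choice
        "Content-Type: text/html; charset=utf-8\r\n"
        "Cache-Control: no-store\r\n"      # never cache the warning page
        "Content-Length: %d\r\n"
        "Connection: close\r\n\r\n"
    ) % len(body)
    return headers.encode("ascii") + body


def assess(kind, value):
    """Full path for one intercepted artefact: bytes of a replacement
    response if the site or its domain is listed, otherwise None."""
    host = hostname_from(kind, value)
    hit = lookup_breach(host)
    if hit is None:
        return None
    matched, reason = hit
    return replacement_response(host, matched, reason)
```

The status code and the form-based “OK to continue” control are implementation choices; handling the override (for example by setting a short-lived cookie that the device honours on the retried request) is outside this example.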

In an embodiment, in the event that security breach assessment module 214 has determined that a security breach has occurred, enterprise account password maintenance module 218 can cause the user to reset the passwords of their enterprise accounts by causing the browser to be redirected to a password portal associated with the enterprise. For example, in the event of a security breach associated with the requested website, along with the notification displayed by security breach notification module 216, enterprise account password maintenance module 218 may redirect the user of the private network to change the passwords of their accounts within the enterprise. In an implementation, once the warning is displayed, a new browser window may redirect the user to a portal specified by the enterprise and configured in the DNS filtering or web filtering profile of the private network.

Further, in order to provide a secure environment for the user of the private network, system 106, implemented in network security device 104, may interact with an endpoint security solution running on client device 110. The integration of system 106 with the endpoint security solution helps ensure that the user does not reuse passwords across public and intranet/private or enterprise domains.

In one embodiment, the endpoint security solution running on client device 110 can monitor and store inputs (in hashed form, for example) by the user on login portals of public websites such that the user can be precluded from reusing passwords across public and intranet domains. The endpoint security solution can preclude the user from reusing a password by comparing the inputs to one or more user passwords for enterprise accounts of the user. In an example, user inputs can be monitored by the endpoint security solution on login portals of public websites such that hashes of the user's passwords for public and enterprise accounts can be compared. Because the stored hashes are derived from live passwords, they should be protected as secrets on the endpoint; a keyed or salted hash, rather than a plain digest of the password, limits the damage if the store is copied.

In an event in which the comparison of the passwords by the endpoint security solution results in detection of a match between a password for a particular public website and a password of a particular enterprise service or enterprise account, enterprise account password maintenance module 218 can cause the user to reset the password for the particular public website or the password for the enterprise account by causing the browser to be redirected to a password change portal associated with the public website or the enterprise account, respectively. For example, if a user has used a password “QWERTY!@” for an account on public website “www.abc.com” (whether breached or not) and subsequently attempts to use the same password “QWERTY!@” for an account on an enterprise service, enterprise account password maintenance module 218 may require the user to change the password for the account on the public website “www.abc.com” or may preclude the user from using the same password for the enterprise service account. Further, those skilled in the art will appreciate that when a security breach on a public website has been detected, the user can be redirected to the password change portal of that particular website, and at the same time the endpoint security solution on client device 110 can monitor the user inputs provided on the password change portal of the particular website in order to preclude the user from using the presumably exposed password for any enterprise service accounts.

In an embodiment, enterprise account password maintenance module 218 may further cause the user to reset a password for the particular enterprise service by causing the browser to be redirected to a password portal associated with the particular enterprise service. Those skilled in the art will appreciate that the user can be redirected to the enterprise password change portal and the endpoint security solution can monitor the user input on the enterprise password portal as well. Should the password provided by the user on the enterprise password portal match a password provided on a public website (whether breached or not), a warning can be displayed that requires the user to use a different password on the enterprise password portal. An exemplary process for enabling the user to change passwords upon determining the existence of a security breach associated with a requested website is described further below with reference to FIG. 5.

An exemplary implementation of the various modules of system 200 is explained with the help of an example. In the example, a user may have provided information to a browser of a client device in order to interact with “mail.abc.com”. Information interception module 212 may use DNS or web filtering to analyze the DNS request and/or the Common Name on the SSL certificate to establish that the user intends to visit “mail.abc.com”. Security breach assessment module 214 may then determine whether “mail.abc.com” or its domain “abc.com” has been reported to be associated with a security breach by querying database 108 of the cloud-based security service that actively maintains the list of breached websites and/or domains associated with breached websites. In the event that there is a record that “mail.abc.com” has been breached, security breach notification module 216 can notify the user that the requested website has been the subject of a security breach and can issue a replacement HTTP response message to the user. The replacement HTTP response message may be a warning that alerts the user that the requested website has been breached and can provide an option indicating “hit OK to continue”. Further, the user can be redirected to change the password of an account associated with the breached website and/or one or more accounts associated with enterprise services. When the user is redirected to the change password portal of the enterprise, the integration of enterprise account password maintenance module 218 and the endpoint security solution may prevent the user from using the same password for the account on the breached website “mail.abc.com” and the enterprise account.

FIGS. 3A-C illustrate exemplary interactions with a breach detection system in accordance with an embodiment of the present invention. At step 1, system 106, implemented in network security device 104, observes an attempt by a client device 110 to interact with a website, for example, in the form of an HTTP request via a browser of the client device. Responsive to the website request, at step 2, system 106 may proactively determine whether the website at issue or an associated domain has been the subject of a breach by querying a cloud-based security service including database 108, which maintains a list of breached websites. At step 3, assuming the website at issue is in the list of breached websites, database 108 responds to the query received from system 106 indicating that the requested website has been breached. At step 4, system 106 can cause a message to be presented to a user of the client device 110 via the browser.

In the context of the present example, the message is a warning indicating that the requested website is associated with a security breach. In this manner, the user can make an informed decision regarding whether to continue with the requested access to the website.

In the example illustrated in FIG. 3B, along with the warning, the user can be provided with a prompt or link to change the password of an account on the requested website and/or an enterprise account password. In an implementation, as noted above, the input provided by the user on the password change portal can be monitored by an endpoint security solution running on client device 110. For example, while changing the password for the account on the public website, the input provided by the user can be compared with the user's password for one or more enterprise services to make sure the user does not reuse an enterprise account password on a public website. During the monitoring process, if it is determined that the user has attempted to reuse an enterprise account password for an account on a public website (e.g., by comparing hashed values of the user's enterprise account passwords to a hashed value of the password attempted to be used on the public website), submission of the password to the public website may be blocked by the endpoint security solution and the user may be required to choose another password, thereby precluding the user from reusing passwords across public and intranet domains.

In the example illustrated in FIG. 3C, along with the warning, the user can be provided with a prompt or link to change both the password of the account on the requested website and an enterprise account password. Again, the input provided by the user on either of the password change portals can be monitored by an endpoint security solution running on client device 110. For example, while changing the password for an enterprise service, the input provided by the user can be compared with previously captured passwords of the user for accounts on public websites, or specifically for the breached website that was requested by the user, to make sure the user does not reuse a password used on a public website, especially one that has been breached. During the monitoring process, if it is determined that the user's password for a particular public website and the password of a particular enterprise service match, the user may be required to choose another password, thereby precluding the user from reusing passwords across public and intranet domains.
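An endpoint-side reuse check matching the monitoring described in this and the preceding paragraphs, as an added Python example; it is not code from the patent or from any endpoint product. It assumes a device-local secret key (here generated in memory; a real agent would keep it in protected storage such as the OS keychain or sealed by a TPM) and stores only HMAC-SHA256 tags of passwords, so a copied store cannot be cracked offline without the key. Comparisons use a constant-time digest comparison. The function `validate_enterprise_change` models the redirect-until-valid loop that FIG. 5 describes at blocks 516 to 524; the account and origin names are constructed sample data.

```python
"""Added example (not the patent's or any vendor's code): endpoint-side
password-reuse monitor. Stored values are HMAC-SHA256 tags under a
device-local key, never bare hashes; comparisons are constant-time."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Decision:
    allowed: bool
    conflicts: list = field(default_factory=list)  # accounts/origins sharing the password


class ReuseMonitor:
    def __init__(self, key: Optional[bytes] = None):
        # Assumption: a real agent keeps this key in protected storage.
        self._key = key or secrets.token_bytes(32)
        self._enterprise = {}  # enterprise account -> tag
        self._public = {}      # public website origin -> tag

    def _tag(self, password: str) -> bytes:
        # Keyed hash: without the key the tags cannot be brute-forced
        # offline. The password is used exactly as typed, no trimming.
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    @staticmethod
    def _matches(tag: bytes, store: dict) -> list:
        # compare_digest does not leak where two tags first differ
        return sorted(k for k, t in store.items() if hmac.compare_digest(tag, t))

    def record_enterprise(self, account: str, password: str) -> None:
        """Enrol the current password of an enterprise account."""
        self._enterprise[account] = self._tag(password)

    def check_public_login(self, origin: str, password: str) -> Decision:
        """On submit of a public login form: block if the password equals
        any enterprise password, else remember it for later cross-checks."""
        tag = self._tag(password)
        conflicts = self._matches(tag, self._enterprise)
        if conflicts:
            return Decision(False, conflicts)
        self._public[origin] = tag
        return Decision(True)

    def check_enterprise_change(self, account: str, new_password: str) -> Decision:
        """Validation on the enterprise password portal (decision block 522):
        reject a new enterprise password already seen on a public website."""
        tag = self._tag(new_password)
        conflicts = self._matches(tag, self._public)
        if conflicts:
            return Decision(False, conflicts)
        self._enterprise[account] = tag
        return Decision(True)


def validate_enterprise_change(monitor: ReuseMonitor, account: str, attempts):
    """FIG. 5 loop: keep redirecting to the portal until an input is valid.
    Returns (accepted_password, rejections); accepted is None if all failed."""
    rejected = 0
    for candidate in attempts:
        if monitor.check_enterprise_change(account, candidate).allowed:
            return candidate, rejected
        rejected += 1
    return None, rejected
```

The check runs before the form leaves the device, which is the only point at which the endpoint can still block the submission; HMAC-SHA256 is fast, so the scheme depends on the key staying secret rather than on the hash being slow.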

FIG. 4 is a flow diagram 400 illustrating alert processing in accordance with an embodiment of the present invention. In the context of the present example, at block 402, a network security device (e.g., network security device 104) protecting a private network of an enterprise intercepts information associated with an interaction with a website by a browser of a client device (e.g., client device 110) associated with the private network. For example, the network security device can perform DNS-based filtering or web filtering to intercept one or more of DNS requests, common names of SSL certificates and actual HTTP requests from network traffic traversing the network security device, for analysis to determine whether such requests might relate to a website associated with a security breach. In an embodiment, responsive to intercepting the information at issue, a URL associated with the website or a common name contained within the SSL certificate of the website can be extracted by parsing the information.

At block 404, the network security device can proactively determine whether the website or a domain with which the website is associated has been reported as having been breached by querying a cloud-based security service that actively maintains a list of breached websites. Thus, the website may be determined to be associated with a security breach if a match is found in the list of breached websites maintained by the cloud-based security service.

At block 406, when the determination is affirmative (that is, when the cloud-based security service indicates that a match has been found for the website requested by the network security device), the network security device may notify the user regarding the occurrence of the security breach involving the domain or the website, for example, by issuing a replacement HTTP response message to the browser. Thus, the response message may alert the user when he/she is trying to access a website that has been associated with a security breach.

Further, in an embodiment, when the user is trying to access a breached website, the network security device may facilitate the user making a change to the password for an account the user has on the breached website and/or an account for one or more enterprise services by redirecting the browser to the respective password portals associated with the breached website and/or the enterprise. Additionally, an endpoint security solution running on the client device may monitor inputs by the user on login portals of public websites to prevent the user from reusing passwords across public and intranet or enterprise domains, which can be achieved by comparing the inputs to one or more user passwords for enterprise accounts of the user.

FIG. 5 is a flow diagram 500 illustrating a process for enabling a user to change a password responsive to detecting that the user is interacting with a website that has been the subject of a security breach in accordance with an embodiment of the present invention. In the context of the present example, at block 502, a user may request a website by, for example, selecting a hyperlink on a web page displayed within a web browser of a client device or entering a URL of the website into the address bar of the browser. The client device can be part of a private network of an enterprise that is protected by a network security device, enabling detection of whether the requested website is associated with a security breach.

At block 504, the network security device can intercept information associated with the requested website. Those skilled in the art will appreciate that there are various mechanisms to intercept such information. Non-limiting examples of intercepting such information include intercepting the HTTP request or performing DNS filtering or web filtering to obtain the DNS request or the common name of the SSL certificate. Further, at block 506, the network security device can query a cloud-based security service that maintains a database of breached websites. At block 508, the network security device can determine whether the website has been breached based on the response provided by the cloud-based security service.

At decision block 510, if the website is determined to have been the subject of a security breach, processing continues with block 512. If the website is determined not to have been the subject of a security breach, processing branches to block 514. At block 512, a replacement message (e.g., a substitute or modified version of a response provided by the website at issue) can be displayed to the user via the browser. In an example, this replacement message is an HTTP response message that includes a warning to the user that the requested website is associated with a security breach and that the user can click “OK” to continue. Additionally or alternatively, the response message can encourage, facilitate or require the user to change the password of one or more enterprise accounts by redirecting the browser to the enterprise password change portal, at block 516. At block 514, when the requested website is not one that has been the subject of a security breach, the request can simply be logged for future reference. For example, should the website be the subject of a future security breach, the user may be proactively notified by the network security device.

In the context of the present example, when the browser has been redirected to the enterprise password change portal at block 516, the portal may require validation of the input provided by the user at block 518. If validation is not required, a log of the password change can be maintained at block 514. If validation is required, at block 520, an endpoint security solution running on client device 110 of the user can monitor the input provided by the user. At decision block 522, the determination regarding whether the input is valid can be performed by matching the user's input against any password previously used by the user for an account on a public website. If a match is found, the input may be considered invalid and the user can be redirected to the enterprise password portal again at block 516, requiring the user to use a different password. At block 524, if the user input is found to be valid, the log can be updated at block 514.
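The “logged for future reference” path at block 514, as an added Python example that is not code from the patent: a hostname-only visit log that is later joined against newly listed breaches to find the users who visited a site before it was reported, so that they can be notified proactively as the text suggests. The retention period, the timestamps and the sample listing are assumptions, and the parent-domain walk is simplified (no public-suffix handling). Only hostnames are logged, since paths and query strings can carry session tokens or personal data that this use does not need.

```python
"""Added example (not the patent's code): request log kept at block 514,
joined later against new breach listings for retroactive notification."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def candidate_domains(host):
    """The host and each parent domain (simplified: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


class VisitLog:
    def __init__(self, retention=timedelta(days=90)):   # assumed retention
        self.retention = retention
        self._entries = []  # (user, host, when); host only, never path/query

    def record(self, user, host, when):
        """Log one non-breached request; timestamps are timezone-aware."""
        self._entries.append((user, host.lower().rstrip("."), when))

    def prune(self, now):
        """Drop entries older than the retention period; return what remains."""
        cutoff = now - self.retention
        self._entries = [e for e in self._entries if e[2] >= cutoff]
        return len(self._entries)

    def users_affected_by(self, newly_listed):
        """newly_listed: {breached name -> time it was added to the list}.
        A visit counts only if it predates the listing; later visits already
        received the inline warning from the network security device."""
        affected = defaultdict(set)
        for user, host, when in self._entries:
            for name in candidate_domains(host):
                listed_at = newly_listed.get(name)
                if listed_at is not None and when <= listed_at:
                    affected[user].add(host)
                    break
        return dict(affected)


def sample_run():
    """Constructed sample data: four visits and two later listings."""
    t0 = datetime(2019, 1, 1, tzinfo=timezone.utc)
    log = VisitLog()
    log.record("alice", "mail.abc.com", t0)
    log.record("bob", "www.xyz.com", t0 + timedelta(days=1))
    log.record("carol", "www.good.example", t0)
    log.record("dave", "www.xyz.com", t0 + timedelta(days=40))
    listed = {"abc.com": t0 + timedelta(days=10),
              "www.xyz.com": t0 + timedelta(days=30)}
    return log, listed, log.users_affected_by(listed)
```

The join is run whenever the device refreshes its copy of the breach list; pruning keeps the log from becoming a long-lived record of browsing, which is itself sensitive data.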

FIG. 6 illustrates an exemplary computer system in which or with which embodiments of the present invention may be utilized. Computer system 600 may represent a network security device (e.g., network security device 104) or a client device (e.g., client device 110).

As shown in FIG. 6, computer system 600 includes an external storage device 610, a bus 620, a main memory 630, a read-only memory 640, a mass storage device 650, a communication port 660, and a processor 670. Computer system 600 may represent some portion of a network security device (e.g., network security device 104) or system 106.

Those skilled in the art will appreciate that computer system 600 may include more than one processor 670 and communication port 660. Examples of processor 670 include, but are not limited to, Intel® Itanium® or Itanium 2 processor(s), AMD® Opteron® or Athlon MP® processor(s), Motorola® lines of processors, FortiSOC™ system-on-a-chip processors or other future processors. Processor 670 may include various modules associated with embodiments of the present invention.

Communication port 660 can be any of an RS-232 port for use with a modem-based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports. Communication port 660 may be chosen depending on the network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which the computer system connects.

Memory 630 can be Random Access Memory (RAM) or any other dynamic storage device commonly known in the art. Read-only memory 640 can be any static storage device(s), e.g., but not limited to, Programmable Read Only Memory (PROM) chips for storing static information, e.g., start-up or BIOS instructions for processor 670.

Mass storage 650 may be any current or future mass storage solution, which can be used to store information and/or instructions. Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces), e.g., those available from Seagate (e.g., the Seagate Barracuda 7200 family) or Hitachi (e.g., the Hitachi Deskstar 7K1000), one or more optical discs, Redundant Array of Independent Disks (RAID) storage, e.g., an array of disks (e.g., SATA arrays), available from various vendors including Dot Hill Systems Corp., LaCie, Nexsan Technologies, Inc. and Enhance Technology, Inc.

Bus 620 communicatively couples processor(s) 670 with the other memory, storage and communication blocks. Bus 620 can be, e.g., a Peripheral Component Interconnect (PCI)/PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), USB or the like, for connecting expansion cards, drives and other subsystems, as well as other buses, such as a front side bus (FSB), which connects processor 670 to the rest of the system.

Optionally, operator and administrative interfaces, e.g., a display, keyboard, and a cursor control device, may also be coupled to bus 620 to support direct operator interaction with the computer system. Other operator and administrative interfaces can be provided through network connections connected through communication port 660. External storage device 610 can be any kind of external hard drive, floppy drive, IOMEGA® Zip Drive, Compact Disc-Read Only Memory (CD-ROM), Compact Disc-Re-Writable (CD-RW), or Digital Video Disk-Read Only Memory (DVD-ROM). The components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system limit the scope of the present disclosure.

Thus, it will be appreciated by those of ordinary skill in the art that the diagrams, schematics, illustrations, and the like represent conceptual views or processes illustrating systems and methods embodying this invention. The functions of the various elements shown in the figures may be provided through the use of dedicated hardware as well as hardware capable of executing associated software. Similarly, any switches shown in the figures are conceptual only. Their function may be carried out through the operation of program logic, through dedicated logic, through the interaction of program control and dedicated logic, or even manually, the particular technique being selectable by the entity implementing this invention. Those of ordinary skill in the art further understand that the exemplary hardware, software, processes, methods, and/or operating systems described herein are for illustrative purposes and, thus, the invention is not intended to be limited to any particular one named.

As used herein, and unless the context dictates otherwise, the term “coupled to” is intended to include both direct coupling (in which two elements that are coupled to each other contact each other) and indirect coupling (in which at least one additional element is located between the two elements). Therefore, the terms “coupled to” and “coupled with” are used synonymously. Within the context of this document, the terms “coupled to” and “coupled with” are also used to mean “communicatively coupled with” over a network, where two or more devices are able to exchange data with each other over the network, possibly via one or more intermediary devices.

It should be apparent to those skilled in the art that many more modifications besides those already described are possible without departing from the inventive concepts herein. The inventive subject matter, therefore, is not to be restricted except in the spirit of the appended claims. Moreover, in interpreting both the specification and the claims, all terms should be interpreted in the broadest possible manner consistent with the context. In particular, the terms “comprises” and “comprising” should be interpreted as referring to elements, components, or steps in a non-exclusive manner, indicating that the referenced elements, components, or steps may be present, or utilized, or combined with other elements, components, or steps that are not expressly referenced. Where the specification or claims refer to at least one of something selected from the group consisting of A, B, C . . . and N, the text should be interpreted as requiring only one element from the group, not A plus N, or B plus N, etc.

While the foregoing describes various embodiments of the invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof. The scope of the invention is determined by the claims that follow. The invention is not limited to the described embodiments, versions or examples, which are included to enable a person having ordinary skill in the art to make and use the invention when combined with information and knowledge available to the person having ordinary skill in the art.

What is claimed is:
1. A method comprising: intercepting, by a network security device protecting a private network of an enterprise, information associated with an interaction with a website by a browser of a client device associated with the private network; based on the information, proactively determining, by the network security device, whether the website or a domain with which the website is associated has been a subject of a security breach by querying a cloud-based security service that actively maintains a list of breached websites; and when said determining is affirmative, then causing, by the network security device, the user to be notified regarding the security breach involving the domain or the website by issuing a replacement Hypertext Transfer Protocol (HTTP) response message to the browser; monitoring, by an endpoint security solution running on the client device, inputs by the user on login portals of public websites; precluding the user from reusing passwords across public and intranet domains by comparing, by the endpoint security solution, the inputs to one or more user passwords for enterprise accounts of the user; when said comparing results in detection of a match between a password for a particular public website and a password of a particular enterprise service, then: causing, by the network security device, the user to reset the password for the particular public website by causing the browser to be redirected to a password change portal associated with the public website; and causing, by the network security device, the user to reset the password for the particular enterprise service by causing the browser to be redirected to a password portal associated with the particular enterprise service.
2. The method of claim 1, wherein the list of breached websites contains information regarding domains and websites for which confidential information of users has been exposed.
 3. The method of claim 1, whereinsaid intercepting is as a result of Domain Name System (DNS) basedfiltering or web filtering performed by the network security device. 4.The method of claim 1, further comprising prior to said querying,parsing, by the network security device, the information to extract oneor more of a Uniform Resource Locator (URL) associated with the websiteor a Common Name contained within a Secure Socket Layer (SSL)certificate of the website.
 5. The method of claim 1, further comprisingcausing, by the network security device, the user to reset passwords oftheir enterprise accounts by causing the browser to be redirected to apassword portal associated with the enterprise.
 6. A network securitysystem comprising: a non-transitory storage device having embodiedtherein one or more routines operable to alert a user of a client deviceassociated with a private network of an enterprise of security breachesrelating to websites the user visits; and one or more processors coupledto the non-transitory storage device and operable to execute the one ormore routines to perform a method comprising: intercepting, by a networksecurity device protecting the private network, information associatedwith an interaction with a website by a browser of the client device;based on the information, proactively determining, by the networksecurity device, whether the website or a domain with which the websiteis associated has been a subject of a security breach by querying acloud-based security service that actively maintains a list of breachedwebsites; and when said determining is affirmative, then causing, by thenetwork security device, the user to be notified regarding the securitybreach involving the domain or the website by issuing a replacementHypertext Transfer Protocol (HTTP) response message to the browser;monitoring, by an endpoint security solution running on the clientdevice, inputs by the user on login portals of public websites;precluding the user from reusing passwords across public and intranetdomains by comparing, by the endpoint security solution, the inputs toone or more user passwords for enterprise accounts of the user; whensaid comparing results in detection of a match between a password for aparticular public website and a password of a particular enterpriseservice, then: causing, by the network security device, the user toreset the password for the particular public website by causing thebrowser to be redirected to a password change portal associated with thepublic website; and causing, by the network security device, the user toreset the password for the particular enterprise service by causing thebrowser to be redirected to a password 
portal associated with theparticular enterprise service.
 7. The network security system of claim6, wherein the list of breached websites contains information regardingdomains and websites for which confidential information of users hasbeen exposed.
 8. The network security system of claim 6, wherein saidintercepting is as a result of Domain Name System (DNS) based filteringor web filtering performed by the network security device.
 9. Thenetwork security system of claim 6, wherein the method further comprisesprior to said querying, parsing, by the network security device, theinformation to extract one or more of a Uniform Resource Locator (URL)associated with the website or a Common Name contained within a SecureSocket Layer (SSL) certificate of the website.
 10. The network securitysystem of claim 6, wherein the method further comprises causing, by thenetwork security device, the user to reset passwords of their enterpriseaccounts by causing the browser to be redirected to a password portalassociated with the enterprise.
 11. A non-transitory media strongcomputer-readable source code that, when executed by a processor,performs a method comprising: intercepting, by a network security deviceprotecting a private network of an enterprise, information associatedwith an interaction with a website by a browser of a client deviceassociated with the private network; based on the information,proactively determining, by the network security device, whether thewebsite or a domain with which the website is associated has been asubject of a security breach by querying a cloud-based security servicethat actively maintains a list of breached websites; and when saiddetermining is affirmative, then causing, by the network securitydevice, the user to be notified regarding the security breach involvingthe domain or the website by issuing a replacement Hypertext TransferProtocol (HTTP) response message to the browser; monitoring, by anendpoint security solution running on the client device, inputs by theuser on login portals of public websites; precluding the user fromreusing passwords across public and intranet domains by comparing, bythe endpoint security solution, the inputs to one or more user passwordsfor enterprise accounts of the user; when said comparing results indetection of a match between a password for a particular public websiteand a password of a particular enterprise service, then: causing, by thenetwork security device, the user to reset the password for theparticular public website by causing the browser to be redirected to apassword change portal associated with the public website; and causing,by the network security device, the user to reset the password for theparticular enterprise service by causing the browser to be redirected toa password portal associated with the particular enterprise service.
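The gateway-side procedure of claims 1, 4 and 6 (extract the host from the URL or the SSL certificate Common Name, query the breached-website list, answer the browser with a replacement HTTP response) together with the endpoint-side password-reuse check, as an added Python example that is not Fortinet's code. The in-memory breached-domain dict standing in for the cloud service, the salted-digest form in which enterprise passwords are kept on the endpoint, and all function names are assumptions of this example.

```python
import hashlib
import hmac
import html
from urllib.parse import urlsplit

# Constructed stand-in for the cloud service's breached-website list; a real gateway queries it remotely.
BREACHED_DOMAINS = {"breached-example.test": "usernames and password hashes exposed"}

def extract_domain(url=None, ssl_common_name=None):
    """Host from the URL, else from the SSL certificate Common Name (claims 4 and 9)."""
    host = urlsplit(url).hostname if url else None
    if not host and ssl_common_name:  # wildcard CN -> apex domain
        host = ssl_common_name[2:] if ssl_common_name.startswith("*.") else ssl_common_name
    return host.lower() if host else None

def lookup_breach(domain):
    """Check the host and each parent domain against the list; (domain, detail) or None."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BREACHED_DOMAINS:
            return candidate, BREACHED_DOMAINS[candidate]
    return None

def replacement_http_response(domain, detail):
    """Replacement HTTP response the device returns to the browser instead of the site."""
    body = ("<html><body><h1>Security notice</h1><p>" + html.escape(domain)
            + " has been reported as breached (" + html.escape(detail)
            + "). Change any password you use there and do not reuse it for "
            "enterprise accounts.</p></body></html>")
    return ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(body.encode())}\r\n\r\n{body}")

def inspect_interaction(url=None, ssl_common_name=None):
    """Gateway decision: a replacement response for a breached site, None to pass through."""
    domain = extract_domain(url, ssl_common_name)
    hit = lookup_breach(domain) if domain else None
    return replacement_http_response(*hit) if hit else None

def enterprise_hash(password, salt):
    """Salted SHA-256 digest: the assumed form in which enterprise passwords sit on the endpoint."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def password_reused(typed_password, enterprise_hashes, salt):
    """Endpoint-side check: does a password typed into a public login portal match an
    enterprise password? Compared as digests, in constant time, never as plaintext."""
    digest = enterprise_hash(typed_password, salt)
    return any(hmac.compare_digest(digest, h) for h in enterprise_hashes)
```

A match from `password_reused` is what triggers the two redirects in the claims (public-site password change portal, then the enterprise password portal); the redirect itself is just another replacement HTTP response built the same way.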